问题描述
|
在android中,我正在使用以下语句。
model = dataHelper.rawQuery(\"SELECT _id,engword,lower(engword) as letter FROM word WHERE letter >= \'a\' AND letter < \'{\' AND engword LIKE \'%\" + filterText + \"%\'\",new String[ {\"_id\",\"engword\",\"lower(engword) as letter\"});
扔android.database.sqlite.SQLiteException: bind or column index out of range: handle 0x132330
我的代码有什么问题?解决方法
正确的声明是:
model = dataHelper.rawQuery(\"
SELECT _id,engword,lower(engword) as letter
FROM word W
HERE letter >= \'a\'
AND letter < \'{\'
AND engword LIKE ? ORDER BY engword ASC
\",new String[] {\"%\" + filterText + \"%\"}
);
,您提供了3个参数,但查询中没有“ 3”。将null而不是字符串数组作为第二个参数传递给rawQuery
,或将所选字符串中的select5ѭ,engword
和lower(engword) as letter
替换为?
1)
model = dataHelper.rawQuery(\"SELECT ?,?,? FROM word WHERE letter >= \'a\' AND letter < \'{\' AND engword LIKE \'%\" + filterText + \"%\'\",new String[] {\"_id\",\"engword\",\"lower(engword) as letter\"});
2)
model = dataHelper.rawQuery(\"SELECT _id,lower(engword) as letter FROM word WHERE letter >= \'a\' AND letter < \'{\' AND engword LIKE \'%\" + filterText + \"%\'\",null);
编辑:
正如@Ewoks指出的那样,选项(1)是不正确的,因为准备好的语句只能在WHERE子句中获取参数(?s)。,如果有人像我一样尝试(并失败)使它与getContentResolver().query
一起工作,那么我将如何管理它:
*由于@CL和@Wolfram Rittmeyer的评论而更新,因为他们说这与rawQuery相同*
正确方法:
public static String SELECTION_LIKE_EMP_NAME = Columns.EMPLOYEE_NAME
+ \" like ?\";
Cursor c = context.getContentResolver().query(contentUri,PROJECTION,SELECTION_LIKE_EMP_NAME,new String[] { \"%\" + query + \"%\" },null);
先前对SQL注入攻击开放的答案:
public static String SELECTION_LIKE_EMP_NAME = Columns.EMPLOYEE_NAME
+ \" like \'%?%\'\";
String selection = SELECTION_LIKE_EMP_NAME.replace(\"?\",query);
Cursor c = context.getContentResolver().query(contentUri,selection,null,null);